HDFS-10683. Make class Token$PrivateToken private. Contributed by John Zhuge.
Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo
Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/c5ca2169
Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/c5ca2169
Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/c5ca2169
Branch: refs/heads/YARN-2915
Commit: c5ca2169151a5eec57152775789b6f53664e102c
Parents: e68c7b9
Author: Wei-Chiu Chuang <weic...@apache.org>
Authored: Wed Oct 5 17:35:43 2016 -0700
Committer: Wei-Chiu Chuang <weic...@apache.org>
Committed: Wed Oct 5 17:36:50 2016 -0700
----------------------------------------------------------------------
 .../org/apache/hadoop/security/Credentials.java | 8 +--
 .../hadoop/security/UserGroupInformation.java | 2 +-
 .../org/apache/hadoop/security/token/Token.java | 60 +++++++++++++++++---
 .../security/TestUserGroupInformation.java | 6 +-
 .../java/org/apache/hadoop/hdfs/HAUtil.java | 5 +-
 5 files changed, 61 insertions(+), 20 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/hadoop/blob/c5ca2169/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/Credentials.java
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/Credentials.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/Credentials.java
index 5a8e81f..8e12ef1 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/Credentials.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/Credentials.java
@@ -104,12 +104,8 @@ public class Credentials implements Writable {
 for (Map.Entry<Text, Token<? extends TokenIdentifier>> e : tokenMap.entrySet()) {
 Token<? extends TokenIdentifier> token = e.getValue();
- if (token instanceof Token.PrivateToken &&
- ((Token.PrivateToken) token).getPublicService().equals(alias)) {
- Token<? extends TokenIdentifier> privateToken =
- new Token.PrivateToken<>(t);
- privateToken.setService(token.getService());
- tokensToAdd.put(e.getKey(), privateToken);
+ if (token.isPrivateCloneOf(alias)) {
+ tokensToAdd.put(e.getKey(), t.privateClone(token.getService()));
 }
 }
 tokenMap.putAll(tokensToAdd);
http://git-wip-us.apache.org/repos/asf/hadoop/blob/c5ca2169/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
index bcdfd53..637e3fa 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
@@ -1584,7 +1584,7 @@ public class UserGroupInformation {
 Credentials creds = new Credentials(getCredentialsInternal());
 Iterator<Token<?>> iter = creds.getAllTokens().iterator();
 while (iter.hasNext()) {
- if (iter.next() instanceof Token.PrivateToken) {
+ if (iter.next().isPrivate()) {
 iter.remove();
 }
 }
http://git-wip-us.apache.org/repos/asf/hadoop/blob/c5ca2169/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/Token.java
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/Token.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/Token.java
index 784e797..713fb20 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/Token.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/Token.java
@@ -223,22 +223,66 @@ public class Token<T extends TokenIdentifier> implements Writable {
 }
 /**
+ * Whether this is a private token.
+ * @return false always for non-private tokens
+ */
+ public boolean isPrivate() {
+ return false;
+ }
+
+ /**
+ * Whether this is a private clone of a public token.
+ * @param thePublicService the public service name
+ * @return false always for non-private tokens
+ */
+ public boolean isPrivateCloneOf(Text thePublicService) {
+ return false;
+ }
+
+ /**
+ * Create a private clone of a public token.
+ * @param newService the new service name
+ * @return a private token
+ */
+ public Token<T> privateClone(Text newService) {
+ return new PrivateToken<>(this, newService);
+ }
+
+ /**
 * Indicates whether the token is a clone. Used by HA failover proxy
 * to indicate a token should not be visible to the user via
 * UGI.getCredentials()
 */
- @InterfaceAudience.Private
- @InterfaceStability.Unstable
- public static class PrivateToken<T extends TokenIdentifier> extends Token<T> {
+ static class PrivateToken<T extends TokenIdentifier> extends Token<T> {
 final private Text publicService;
- public PrivateToken(Token<T> token) {
- super(token);
- publicService = new Text(token.getService());
+ PrivateToken(Token<T> publicToken, Text newService) {
+ super(publicToken.identifier, publicToken.password, publicToken.kind,
+ newService);
+ assert !publicToken.isPrivate();
+ publicService = publicToken.service;
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Cloned private token " + this + " from " + publicToken);
+ }
 }
- public Text getPublicService() {
- return publicService;
+ /**
+ * Whether this is a private token.
+ * @return true always for private tokens
+ */
+ @Override
+ public boolean isPrivate() {
+ return true;
+ }
+
+ /**
+ * Whether this is a private clone of a public token.
+ * @param thePublicService the public service name
+ * @return true when the public service is the same as specified
+ */
+ @Override
+ public boolean isPrivateCloneOf(Text thePublicService) {
+ return publicService.equals(thePublicService);
 }
 @Override
http://git-wip-us.apache.org/repos/asf/hadoop/blob/c5ca2169/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java
index 09a5807..a52cd46 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java
@@ -890,8 +890,10 @@ public class TestUserGroupInformation {
 ugi.addToken(new Text("regular-token"), token);
 // Now add cloned private token
- ugi.addToken(new Text("private-token"), new Token.PrivateToken<TestTokenIdentifier>(token));
- ugi.addToken(new Text("private-token1"), new Token.PrivateToken<TestTokenIdentifier>(token));
+ Text service = new Text("private-token");
+ ugi.addToken(service, token.privateClone(service));
+ Text service1 = new Text("private-token1");
+ ugi.addToken(service1, token.privateClone(service1));
 // Ensure only non-private tokens are returned
 Collection<Token<? extends TokenIdentifier>> tokens = ugi.getCredentials().getAllTokens();
http://git-wip-us.apache.org/repos/asf/hadoop/blob/c5ca2169/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/HAUtil.java
----------------------------------------------------------------------
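Review bot: The only guard against cloning a token that is already private is `assert !publicToken.isPrivate();` in the PrivateToken constructor, and Java assertions are skipped unless the JVM runs with -ea. `privateClone` is public and is not overridden in the part of PrivateToken shown here, so calling it on a private token (for example a caller-supplied `t` reaching `t.privateClone(...)` in Credentials.addToken) would quietly yield a clone whose `publicService` is the private token's own service, and `isPrivateCloneOf` would then compare against that value rather than the public service name. I would make the check unconditional, e.g. `if (publicToken.isPrivate()) { throw new IllegalArgumentException("cannot clone a private token"); }`. Separately, `publicService = publicToken.service;` now shares the mutable Text instance with the public token where the removed code copied it; `publicService = new Text(publicToken.service);` keeps the match key stable. The PrivateToken class continues past the end of this hunk, so an override outside it would not be visible here.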
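Review bot: Nothing in this test hunk exercises `isPrivateCloneOf` or the refresh branch in Credentials.addToken that the commit rewrites; the changed lines only build the clones that the existing getCredentials() filtering check hides. Unless that is covered elsewhere, a case that re-adds a token under the public alias and asserts that the private clone is replaced while keeping its own service would pin the new behaviour. A second case that calls `privateClone` on an already private token would document what is expected there. The test method starts and ends outside the hunk.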
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/HAUtil.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/HAUtil.java
index 7b65abf..ea535e9 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/HAUtil.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/HAUtil.java
@@ -29,6 +29,7 @@ import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_NAMENODE_RPC_BIND_HOST_KE
 import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_NAMENODE_SERVICE_RPC_ADDRESS_KEY;
 import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_NAMENODE_SERVICE_RPC_BIND_HOST_KEY;
 import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_NAMENODE_SHARED_EDITS_DIR_KEY;
+import static org.apache.hadoop.security.SecurityUtil.buildTokenService;
 import java.io.IOException;
 import java.net.InetSocketAddress;
@@ -56,7 +57,6 @@ import org.apache.hadoop.io.Text;
 import org.apache.hadoop.ipc.RPC;
 import org.apache.hadoop.ipc.RemoteException;
 import org.apache.hadoop.ipc.StandbyException;
-import org.apache.hadoop.security.SecurityUtil;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.token.Token;
@@ -281,8 +281,7 @@ public class HAUtil {
 // exposed to the user via UGI.getCredentials(), otherwise these
 // cloned tokens may be inadvertently propagated to jobs
 Token<DelegationTokenIdentifier> specificToken =
- new Token.PrivateToken<DelegationTokenIdentifier>(haToken);
- SecurityUtil.setTokenService(specificToken, singleNNAddr);
+ haToken.privateClone(buildTokenService(singleNNAddr));
 Text alias = new Text( HAUtilClient.buildTokenServicePrefixForLogicalUri( HdfsConstants.HDFS_URI_SCHEME)
---------------------------------------------------------------------
To unsubscribe, e-mail: common-commits-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-commits-h...@hadoop.apache.org
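Review bot: In the third hunk the call `haToken.privateClone(buildTokenService(singleNNAddr))` reads as if `buildTokenService` were a local helper, because the commit swaps the `SecurityUtil` import for a static import of one method. The other static imports visible in this file are DFSConfigKeys constants, so I would keep the regular import and write `haToken.privateClone(SecurityUtil.buildTokenService(singleNNAddr));`, which keeps the origin of the per-NameNode service name visible at the point where the private clone is created. The enclosing method starts and ends outside the hunk.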